Description of problem:
After having a cert renewal failure on 7.2 master (due to loss of tracking on all certs), this replica was promoted and then used to renew its own certs.
It has been failing to install replicas, with issues stemming from what seems to be an extra ldap certificate?
Version-Release number of selected component (if applicable):
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
-- This was updated to the latest IPA packages, but it did not update the base RHEL as part of the yum update ipa-server
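The description above traces the original renewal failure to lost certmonger tracking on the 7.2 master. As an added example, not code from the bug report or from the IPA project, the following Python parses a `getcert list` report and compares it against the set of certificates a server is expected to track, so that missing tracking requests, requests stuck in a non-MONITORING state and near-expiry certificates are visible before they cascade into the replica install problems described here. The sample report, the EXAMPLE.TEST realm, the paths and the dates are constructed; the field layout (Request ID, status, stuck, certificate nickname, expires) follows what certmonger's getcert prints.

```python
"""Triage certmonger tracking state from `getcert list` output.

Added example for this bug, not part of the report or of IPA itself.
The report text below is constructed: field names follow certmonger's
`getcert list` format, but every value (realm, paths, dates) is made up.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed `getcert list` report: one healthy request (httpd Server-Cert),
# one CA subsystem cert stuck in renewal, and the LDAP Server-Cert missing
# from the list entirely, i.e. its tracking request has been lost.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20160101000001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2018-03-01 12:00:00 UTC
\tauto-renew: yes
Request ID '20160101000002':
\tstatus: CA_UNREACHABLE
\tca-error: constructed sample error text (renewal helper could not reach the CA)
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2016-06-01 12:00:00 UTC
\tauto-renew: yes
"""

# Certificates this (constructed) server is expected to track, keyed by
# NSS database location and nickname so identical nicknames in different
# databases are not confused.
EXPECTED_CERTS = {
    ("/etc/httpd/alias", "Server-Cert"),
    ("/etc/dirsrv/slapd-EXAMPLE-TEST", "Server-Cert"),
    ("/etc/pki/pki-tomcat/alias", "subsystemCert cert-pki-ca"),
}

# Constructed "current time" so the example is reproducible offline.
SAMPLE_NOW = datetime(2016, 5, 15, tzinfo=timezone.utc)

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':$", re.MULTILINE)
NICKNAME = re.compile(r"nickname='([^']*)'")
LOCATION = re.compile(r"location='([^']*)'")


def parse_getcert_list(text):
    """Split a `getcert list` report into one dict per tracking request."""
    requests = []
    headers = list(REQUEST_HEADER.finditer(text))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        fields = {}
        for line in text[header.end():end].splitlines():
            if ":" not in line:
                continue
            key, _, value = line.strip().partition(":")
            fields[key.strip()] = value.strip()
        cert = fields.get("certificate", "")
        nick = NICKNAME.search(cert)
        loc = LOCATION.search(cert)
        expires = None
        if "expires" in fields:
            expires = datetime.strptime(
                fields["expires"], "%Y-%m-%d %H:%M:%S UTC"
            ).replace(tzinfo=timezone.utc)
        requests.append({
            "request_id": header.group(1),
            "status": fields.get("status", ""),
            "stuck": fields.get("stuck", "no") == "yes",
            "location": loc.group(1) if loc else "",
            "nickname": nick.group(1) if nick else "",
            "expires": expires,
        })
    return requests


def find_problems(requests, expected, now, warn_days=30):
    """Report lost tracking, non-MONITORING state, stuck renewals and near expiry."""
    tracked = {(r["location"], r["nickname"]) for r in requests}
    horizon = now + timedelta(days=warn_days)
    return {
        "untracked": sorted(expected - tracked),
        "not_monitoring": sorted(
            (r["nickname"], r["status"]) for r in requests if r["status"] != "MONITORING"
        ),
        "stuck": sorted(r["nickname"] for r in requests if r["stuck"]),
        "expiring": sorted(
            r["nickname"] for r in requests if r["expires"] and r["expires"] <= horizon
        ),
    }


def tracking_is_healthy(report):
    """True only when every problem list in the report is empty."""
    return not any(report.values())


if __name__ == "__main__":
    report = find_problems(parse_getcert_list(SAMPLE_GETCERT_LIST), EXPECTED_CERTS, SAMPLE_NOW)
    for kind, items in report.items():
        print(f"{kind}: {items if items else 'none'}")
    print("healthy" if tracking_is_healthy(report) else "ATTENTION REQUIRED")
```

On a live server the report would come from running `getcert list` rather than the constructed string, and the expected set from the server's own inventory of NSS databases and nicknames; the comparison by (location, nickname) is what catches the "lost tracking" case, since a certificate whose request has vanished produces no `Request ID` block at all and is invisible to checks that only inspect the requests that are still present.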
Thanks for the clarification about the change on the DN encoding.
From our perspective, the troubleshooting process we went through in the last few weeks made it clear that taking the faulty IPA systems to a stable and reliable status is very difficult, if not impossible.
We have decided to perform an installation from scratch of a new IPA environment to reduce the risk of having the same issue or other related issues in future.
A short summary of the steps we are currently following is:
1. perform a fresh install of IdM/IPA, and instead of setting up Winsync, use the Trust configuration
2. create new domain as a subdomain of our corporate Windows AD (unix.phe.gov.uk)
3. sign the IdM/IPA root CA cert with the PHE AD root CA cert, so that clients can have a valid trust path for IdM/IPA-issued certs
4. create a one-way trust from the IdM/IPA to the PHE AD so that existing AD users can authenticate to IdM
5. run both IPA systems in parallel (the faulty and the new one) and migrate things over in a controlled manner
Once we complete all the above steps and all clients are successfully migrated to the new IPA, we are keen to help - if you think it could be in any way useful to resolve this bug - by performing further tests or applying a patch to our faulty IPA system to test a possible solution (maybe useful for other users).
for the workaround in the CA's CS.cfg, note the order may be important:
may not have the same effect
*** Bug 1415852 has been marked as a duplicate of this bug. ***
 - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6
Per RHEL 7.5.z/7.6/8.0 Triage: 7.6
alee: looks like it was tied to a customer case. Need to confirm if this case is active.